Canadian Cyber Security Journal

Progress ShareFile CVE-2026-2699 and CVE-2026-2701: Pre-Auth RCE Chain Leaves 700 Exposed Instances at Risk

What Happened

On April 7, 2026, security research firm watchTowr publicly disclosed a two-vulnerability attack chain in Progress ShareFile Storage Zones Controller that enables pre-authenticated remote code execution. The chain combines CVE-2026-2699 and CVE-2026-2701, both affecting the 5.x branch of on-premise ShareFile deployments.

CVE-2026-2699 is an authentication bypass rooted in improper handling of HTTP redirects in the /ConfigService/Admin.aspx endpoint, a condition known as Execution After Redirect. An unauthenticated attacker sends a crafted request and receives access to restricted administrative functions without ever supplying valid credentials. From that foothold, the attacker modifies storage zone configuration settings, including file path parameters and the zone passphrase.

CVE-2026-2701 is an arbitrary file upload and extraction flaw. Combined with the authentication bypass from CVE-2026-2699, an attacker uploads a malicious archive that extracts an ASPX webshell into the application’s webroot. From there, the attacker executes arbitrary commands on the underlying server with the permissions of the ShareFile application process.

Progress released a fix in ShareFile 5.12.4 on March 10, 2026, following responsible disclosure by watchTowr. The researchers held publication until April 7, providing a 28-day patch window before full technical details were made public. As of watchTowr’s scan at the time of disclosure, approximately 700 internet-exposed Storage Zones Controller instances remained unpatched. The full disclosure includes working proof-of-concept code.

Sources: BleepingComputer | watchTowr Labs

Why This Matters for Canadian Organizations

Progress ShareFile is a widely deployed managed file transfer and document collaboration platform used across Canadian enterprises, legal and professional services firms, healthcare networks, and government departments. Organizations in regulated sectors frequently rely on ShareFile to exchange sensitive documents with external parties, including contracts, financial records, and personal health information. Customer-managed Storage Zones Controller deployments — the affected component — are common in organizations with data sovereignty requirements, including those that must keep data within Canada under PIPEDA or provincial health privacy legislation.

The severity of this disclosure is amplified by the availability of working proof-of-concept code on the day of publication. Attack tooling for pre-auth RCE chains reaches opportunistic actors quickly. Organizations with internet-accessible ShareFile instances face immediate exploitation attempts. Progress ShareFile was previously a target of Clop ransomware in the MOVEit-era attacks of 2023, which affected Canadian universities, healthcare providers, and government contractors. The same file transfer sector continues to attract threat actors precisely because of the sensitive data these platforms handle.

Under Canada’s PIPEDA breach notification obligations, a compromise of a ShareFile Storage Zones Controller instance — which holds files exchanged with clients and counterparties — creates significant exposure to reporting requirements if personal information is accessed. Organizations should not wait for confirmed exploitation before patching.

What to Do

Update Progress ShareFile Storage Zones Controller to version 5.12.4 or later immediately. This fix was released on March 10, 2026, and is the only remediation available. There are no workarounds for CVE-2026-2699 or CVE-2026-2701.

If you cannot patch immediately, restrict internet access to the Storage Zones Controller management interface using network-level controls, limiting access to internal IP ranges only. Treat this as a temporary measure, not a substitute for patching.

Review ShareFile access logs covering March 10 to the date of your patch application. Look for unauthenticated requests to /ConfigService/Admin.aspx, unexpected file uploads through the admin interface, and any newly created .aspx files in webroot directories. Engage your incident response process if any indicators are found.
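
The log and webroot review described above can be scripted. The following is an added example, not code from Progress, watchTowr, or this article's sources; it assumes the controller's IIS writes W3C-format logs with the standard cs-uri-stem, cs-username and c-ip fields, treats RFC 1918 ranges as internal, and runs against constructed sample log lines.

```python
import ipaddress
import os
from datetime import datetime, timezone

ADMIN_PATH = "/configservice/admin.aspx"  # endpoint named in the article, lowercased
REVIEW_START = datetime(2026, 3, 10, tzinfo=timezone.utc)  # start of the review window
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def flag_admin_requests(lines):
    """Return W3C log rows that hit the admin page with no username from a non-internal IP."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is set per server, so read it from the log
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != ADMIN_PATH:
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue
        if row.get("cs-username", "-") == "-" and not any(client in n for n in INTERNAL):
            hits.append(row)
    return hits

def recent_aspx(webroot, since=REVIEW_START):
    """Return .aspx files under webroot created or modified on or after `since`."""
    cutoff, found = since.timestamp(), []
    for base, _dirs, names in os.walk(webroot):
        for name in (n for n in names if n.lower().endswith(".aspx")):
            st = os.stat(os.path.join(base, name))
            # Extraction can preserve an old mtime; st_ctime (creation time on Windows) still moves.
            if max(st.st_mtime, st.st_ctime) >= cutoff:
                found.append(os.path.join(base, name))
    return sorted(found)

# Constructed sample log using documentation IP ranges, not real ShareFile output.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-03-21 02:14:07 GET /ConfigService/Admin.aspx - 203.0.113.45 302
2026-03-21 02:14:09 POST /ConfigService/Admin.aspx - 203.0.113.45 200
2026-03-22 09:30:11 GET /ConfigService/Admin.aspx CORP\\svc_admin 10.20.1.15 200
2026-03-22 09:31:40 GET /default.aspx - 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for hit in flag_admin_requests(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["sc-status"])
```

Compare any files returned by `recent_aspx` against the installer's file list for your version before treating them as malicious, since patching itself rewrites legitimate .aspx files.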

Organizations that have confirmed or suspected compromise should report to the Canadian Centre for Cyber Security at contact@cyber.gc.ca and assess obligations under PIPEDA breach notification rules and applicable provincial privacy legislation.
